From: John Reiser <jreiser@bitwagon.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
James Morris <jmorris@namei.org>,
Roland McGrath <roland@redhat.com>,
David Howells <dhowells@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: binfmt_elf PT_INTERP gets EFAULT if no PROT_WRITE
Date: Tue, 08 Sep 2009 17:26:59 -0700
Message-ID: <4AA6F653.1010007@bitwagon.com>
In fs/binfmt_elf.c, routine load_elf_interp() calls padzero() for .bss
even if the PT_LOAD has no PROT_WRITE and no .bss. This generates EFAULT.
One easy way to avoid trouble is that a PT_LOAD with no PROT_WRITE
should skip the .bss calculation entirely.
Here is a small test case. (Yes, there are other, useful PT_INTERP
which have only .text and no .data/.bss.)
----- ptinterp.S
_start: .globl _start
nop
int3
-----
$ gcc -m32 -nostartfiles -nostdlib -o ptinterp ptinterp.S
$ gcc -m32 -Wl,--dynamic-linker=ptinterp -o hello hello.c
$ ./hello
Segmentation fault # during execve() itself
After applying the patch:
$ ./hello
Trace trap # user-mode execution after execve() finishes
Signed-off-by: John Reiser <jreiser@BitWagon.com>
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index b7c1603..3b9a097 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -488,7 +488,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
* keep track of the largest address we see for this.
*/
k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
- if (k > elf_bss)
+ if (k > elf_bss && PROT_WRITE & elf_prot)
elf_bss = k;
/*
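Review bot: the new test in this hunk is written operand-first, `PROT_WRITE & elf_prot`; kernel style puts the variable first and parenthesises the mask so precedence is explicit, i.e. `if (k > elf_bss && (elf_prot & PROT_WRITE))`. A one-line comment above the test should also say why only a writable PT_LOAD may advance elf_bss: elf_bss is the address padzero() later writes to, so the end of a read-only segment must never become that target. Note the side effect that a read-only PT_LOAD whose p_memsz exceeds p_filesz now silently gets no zero-fill instead of failing; that is the intended outcome for the text-only interpreter in the cover letter, but it belongs in the comment.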
@@ -496,7 +496,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
* elf_bss and last_bss is the bss section.
*/
k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
- if (k > last_bss)
+ if (k > last_bss && PROT_WRITE & elf_prot)
last_bss = k;
}
}
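Review bot: the last_bss update repeats the same `PROT_WRITE & elf_prot` test as the elf_bss update in the previous hunk; compute it once per iteration (for example `int writable = elf_prot & PROT_WRITE;` next to where elf_prot is derived) and use it in both conditions so the two gates cannot drift apart. Also worth checking the case this patch creates where no PT_LOAD is writable: neither elf_bss nor last_bss is ever advanced, so the padzero() call mentioned in the cover letter and the later bss mapping must treat that as "no bss" rather than as a range at the initial value; a comment at the top of the loop stating that invariant would make the intent clear.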
--
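To make the failure mode above concrete without booting a patched kernel, here is a userland model of the elf_bss/last_bss bookkeeping in load_elf_interp(), with the PROT_WRITE gate switchable, plus a check of whether the padzero() write would land in a page mapped without PROT_WRITE. This is an added example, not kernel code; the program header tables are constructed by hand (the first mirrors a text-only PT_INTERP like ptinterp.S, the second a conventional interpreter with writable .data/.bss), the segment sizes are invented, and load_addr is taken as 0 as for a non-PIC interpreter.

```c
/* Userland model of the elf_bss/last_bss bookkeeping in load_elf_interp()
 * (fs/binfmt_elf.c) before and after gating on PROT_WRITE.  Added example,
 * not kernel code; the phdr tables below are constructed, not read from a file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELF_MIN_ALIGN 4096UL                     /* ELF_EXEC_PAGESIZE on x86 */
#define ELF_PAGEOFFSET(v) ((v) & (ELF_MIN_ALIGN - 1))
#define ELF_PAGEALIGN(v)  (((v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))

/* Subset of <elf.h> / <sys/mman.h> constants so the example is self-contained. */
enum { PT_LOAD = 1, PF_X = 1, PF_W = 2, PF_R = 4 };
enum { PROT_READ = 1, PROT_WRITE = 2, PROT_EXEC = 4 };

struct phdr {            /* the Elf32_Phdr fields the loader loop consults */
    uint32_t p_type, p_flags;
    uint64_t p_vaddr, p_filesz, p_memsz;
};

struct bss_bounds { uint64_t elf_bss, last_bss; };

/* Same mapping from p_flags to elf_prot that the kernel loop performs. */
static int prot_of(uint32_t f)
{
    return (f & PF_R ? PROT_READ : 0) | (f & PF_W ? PROT_WRITE : 0) |
           (f & PF_X ? PROT_EXEC : 0);
}

/* gate_on_write == 0: the original loop; 1: the patched loop, where only a
 * PT_LOAD with PROT_WRITE may advance elf_bss and last_bss. */
struct bss_bounds compute_bss(const struct phdr *ph, size_t n,
                              uint64_t load_addr, int gate_on_write)
{
    struct bss_bounds b = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD)
            continue;
        int allowed = !gate_on_write || (prot_of(ph[i].p_flags) & PROT_WRITE);
        uint64_t k = load_addr + ph[i].p_vaddr + ph[i].p_filesz;
        if (k > b.elf_bss && allowed)
            b.elf_bss = k;
        k = load_addr + ph[i].p_memsz + ph[i].p_vaddr;
        if (k > b.last_bss && allowed)
            b.last_bss = k;
    }
    return b;
}

/* Bytes padzero(elf_bss) would clear_user(): the remainder of the page that
 * elf_bss lands in, or 0 when elf_bss is page aligned (no write at all). */
size_t padzero_len(uint64_t elf_bss)
{
    size_t off = ELF_PAGEOFFSET(elf_bss);
    return off ? ELF_MIN_ALIGN - off : 0;
}

/* 1 if that clear_user() would touch a page mapped without PROT_WRITE
 * (or not mapped by any PT_LOAD at all), which is what surfaces as EFAULT. */
int padzero_faults(const struct phdr *ph, size_t n, uint64_t load_addr,
                   uint64_t elf_bss)
{
    size_t len = padzero_len(elf_bss);
    if (!len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD)
            continue;
        uint64_t lo = (load_addr + ph[i].p_vaddr) & ~(ELF_MIN_ALIGN - 1);
        uint64_t hi = ELF_PAGEALIGN(load_addr + ph[i].p_vaddr + ph[i].p_memsz);
        if (elf_bss >= lo && elf_bss + len <= hi)
            return !(prot_of(ph[i].p_flags) & PROT_WRITE);
    }
    return 1;
}

/* Constructed: a PT_INTERP like ptinterp.S, one R-X PT_LOAD, no .data/.bss. */
const struct phdr text_only[] = {
    { PT_LOAD, PF_R | PF_X, 0x8048000, 0x72, 0x72 },
};
const size_t text_only_n = sizeof text_only / sizeof text_only[0];

/* Constructed: a conventional interpreter with text plus writable .data/.bss. */
const struct phdr text_and_data[] = {
    { PT_LOAD, PF_R | PF_X, 0x8048000, 0x1000, 0x1000 },
    { PT_LOAD, PF_R | PF_W, 0x8049000, 0x100,  0x200  },
};
const size_t text_and_data_n = sizeof text_and_data / sizeof text_and_data[0];

static void report(const char *name, const struct phdr *ph, size_t n)
{
    for (int gate = 0; gate <= 1; gate++) {
        struct bss_bounds b = compute_bss(ph, n, 0, gate);
        printf("%s %-9s elf_bss=%#llx last_bss=%#llx padzero=%zu bytes %s\n",
               name, gate ? "(patched)" : "(orig)",
               (unsigned long long)b.elf_bss, (unsigned long long)b.last_bss,
               padzero_len(b.elf_bss),
               padzero_faults(ph, n, 0, b.elf_bss) ? "-> EFAULT" : "-> ok");
    }
}

int main(void)
{
    report("text_only    ", text_only, text_only_n);
    report("text_and_data", text_and_data, text_and_data_n);
    return 0;
}
```

For the text-only table the original loop sets elf_bss to the end of the R-X segment, so padzero() would clear the rest of that page through a read-only mapping; the gated loop leaves elf_bss at 0 and padzero() has nothing to do. For the interpreter with a writable segment both loops agree, which is the property the patch relies on.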
Thread overview: 3+ messages
2009-09-09 0:26 John Reiser [this message]
2009-09-09 2:49 ` binfmt_elf PT_INTERP gets EFAULT if no PROT_WRITE Roland McGrath
2009-09-10 10:12 ` James Morris